ARP Address Resolution Protocol
1. What is ARP Address Resolution Protocol?
The ARP protocol is the Address Resolution Protocol, which is used for mapping between 32-bit IPV4 addresses and Ethernet 48-bit MAC addresses, and ARP can only work when they are in the same IP subnet system .
Second, capture packets to understand the ARP protocol
In the same LAN
1. The IP address of host A is 192.168.22.22 and the MAC address is E8-6A-64-75-B7-C6
2. The IP address of host B is 192.168.22.70 and the MAC address is F6-AF-73-BB- DF-45
3. Host Aping host B
4. Check the entry of host A ARP cache,
you can see the MAC address of host B, dynamic means from ARP learning, if it is static through manual input.
5. While host Aping host B, use wireshark to capture packets.
Before capturing packets, first give the ARP frame format used when the IPv4 address is mapped to a 48-bit MAC (Ethernet) address, which is convenient for the following analysis.
Field 1: It is the destination Ethernet address of the ARP request. When all 1s represent the broadcast address, the purpose is to allow all hosts on the LAN to receive the ARP request packet;
Field 2: MAC address for sending ARP request;
Field 3: Ethernet frame type, which indicates the type of large data in the back, and the value of the ARP request and ARP response packets is 0X0806;
Field 4: Indicates the type of hardware address, the hardware address is more than one type of Ethernet, and the value of Ethernet type is 1;
Field 5: Indicates the protocol address type to be mapped. When mapping an IPv4 address, this value is 0X0800;
Fields 6 and 7: indicate the length of the hardware address and the length of the protocol address respectively, the MAC address occupies 6 bytes, and the IP address occupies 4 bytes;
Field 8: Indicates the operation type field, a value of 1 indicates an ARP request, a value of 2 indicates an ARP response, a value of 3 indicates a RARP request, and a value of 4 indicates an RARP response;
Field 9: Indicates the hardware address of the sender's ARP request or response, that is, the source MAC address, which is the same as 2;
Field 10: Indicates the IP address sending the ARP request or response;
Fields 11 and 12: respectively represent the hardware address and protocol address of the destination.
The 14 bytes of the first 3 fields are the header of Ethernet, and the 28 bytes of the next 9 fields are the information of ARP request/response.
- request package
Since host A does not cache the MAC address of host B, ARP broadcasts directly.
1. Ethernet destination address (Destination): ff:ff:ff:ff:ff:ff, this address is all 1, which is the broadcast address;
2. Ethernet source address (Source): E8-6A-64-75-B7-C6
3. Frame type (Type): ARP (0x0806);
4. Hardware type (Hardware): Ethernet(1);
5. Protocol type (Protocol): IPv4 (0x0800);
6. Hardware address length (Hardware size): 6
7. Protocol address length (Protocol): 4
8. Opcode: The operation type is ARP request request(1)
9. Sender MAC address: E8-6A-64-75-B7-C6
10. Sender IP address: 192.169.22.22
11. Target MAC address (Target MAC address): 00:00:00:00:00:00 (this address needs to be obtained according to the target IP, and it is all 0 in the request message);
12. Target IP address: 192.169.22.70;
- The reply
packet encapsulates its own MAC F6-AF-73-BB-DF-45 into an ARP message and then replies to the requester. The field meaning of the reply packet is similar to that of requset, and the op is: reply(2).
An interesting phenomenon is that after host A searches for the MAC address of host B, host B will also broadcast in the LAN to find the MAC address of host A.
